Abstract. We show that the Cao-Li cryptosystem proposed in [1] is not secure. Its private key can be reconstructed from its public key using elementary means such as LU-decomposition and the Euclidean algorithm.



1. Description of the Cryptosystem 

The Cao-Li public key cryptosystem was first proposed in [1]. It encrypts messages using a bilinear form that is chosen to permit easy decryption by the Chinese remainder theorem. Public key cryptosystems that are designed along this line are not uncommon in the Chinese cryptographic literature. However, as most of the original papers were published in Chinese, they remained relatively obscure until a few of them were described in [2] (in English) recently. Our description below is based on the latter reference.

Let $p_1, \dots, p_n$ be $n$ distinct primes where $p_i \equiv 3 \pmod 4$. For $i = 1, \dots, n$, define

$$m_i := \prod_{j \neq i} p_j ,$$

the product of the remaining primes, so that $p_j \mid m_i$ for $j \neq i$ and $\gcd(m_i, p_i) = 1$. Compute for each $m_i$ an integer $m_i'$ that satisfies $m_i' m_i \equiv 1 \pmod{p_i}$ and $0 < m_i' < p_i$. We define positive integers

$$\lambda_i := m_i' m_i$$

for $i = 1, \dots, n$ and the diagonal matrix

$$\Lambda := \operatorname{diag}[\lambda_1, \dots, \lambda_n].$$

Note that

$$(1)\qquad \lambda_i \equiv \delta_{ij} \pmod{p_j},$$

where $\delta_{ij}$ is $1$ if $i = j$ and $0$ otherwise.

We choose another two invertible $n \times n$ lower-triangular matrices $P_1$ and $P_2$ with non-negative integer entries that are bounded by

$$(2)\qquad \beta := \min_{1 \le i \le n} \sqrt{\frac{p_i}{i(i+1)\,d}},$$

where $d > 1$ is a chosen positive integer.

The secret key comprises the two matrices $P_1, P_2$ and the primes $p_i$, $i = 1, \dots, n$. The public key is the $n \times n$ symmetric matrix $B$ given by

$$B := P_2^T P_1^T \Lambda P_1 P_2 .$$
Let the message block be $x = (x_1, \dots, x_n)$ where $0 \le x_i < d$. The ciphertext $y$ is computed as

$$y = x B x^T .$$

If we let $z := x P_2^T P_1^T$, then

$$y = z \Lambda z^T = \lambda_1 z_1^2 + \dots + \lambda_n z_n^2 .$$

From (1), we have

$$(3)\qquad z_k^2 \equiv y \pmod{p_k}.$$

Keeping in mind that $P_1^T$ and $P_2^T$ are upper-triangular and their entries are non-negative and bounded by $\beta$, the $(i,k)$ entry of $P_2^T P_1^T$ is $\sum_{j=i}^{k} (P_2^T)_{ij} (P_1^T)_{jk}$, a sum of products of two entries bounded by $\beta$ that vanishes for $i > k$. We therefore have, from (2) and $0 \le x_i < d$, that

$$(4)\qquad 0 \le z_k < \sum_{i=1}^{k} \sum_{j=i}^{k} d\beta^2 = \beta^2 d\,\frac{k(k+1)}{2} \le \frac{p_k}{2}.$$

We can carry out decryption as follows. For each $k = 1, \dots, n$, compute the unique $z_k$ satisfying (3) and (4); of the two square roots $\pm z_k$ of $y$ modulo $p_k$, exactly one lies in $[0, p_k/2)$. The message can then be recovered by

$$(5)\qquad x = z\,(P_2^T P_1^T)^{-1}.$$

Note that since $p_k \equiv 3 \pmod 4$, effective algorithms for computing square roots (mod $p_k$) exist (see [3]); in this case $y^{(p_k+1)/4} \bmod p_k$ is a square root of $y$ whenever $y$ is a quadratic residue modulo $p_k$, which (3) guarantees.

2. Key Recovery 

We will first recover $\Lambda$ from $B$. Let $P := P_1 P_2 = (p_{ij})_{1 \le i,j \le n}$, so that $B = P^T \Lambda P$. Then $P$ is an invertible lower-triangular matrix with non-negative integral entries, by the same properties of $P_1$ and $P_2$. Since $P$ is invertible over the integers, we have $\det P = \pm 1$. Moreover, we also have $\det P = p_{11} \times \dots \times p_{nn}$ since $P$ is triangular. As all the $p_{ii}$ are non-negative integers, it then follows that $p_{ii} = 1$ for $i = 1, \dots, n$.

$\Lambda$ and $P$ can be recovered from $B$ using an algorithm that is very similar to the algorithm for LU-decomposition of a matrix (the difference being that row reduction is done starting from the bottom rows). Denote the $i$th row of $B$ by $\mathbf{b}_i = (b_{i1}, \dots, b_{in})$, $i = 1, \dots, n$. We know immediately that $b_{nn} = \lambda_n$.



Algorithm A

Input. $B = (\mathbf{b}_1, \dots, \mathbf{b}_n)^T = (b_{ij})_{1 \le i,j \le n}$

Output. $\lambda_1, \dots, \lambda_n, P$

Step 1. for $i = n-1, n-2, \dots, 1$ do
    for $j = n, n-1, \dots, i+1$ do
        $\mathbf{b}_i \leftarrow \mathbf{b}_i - \frac{b_{ij}}{b_{jj}} \mathbf{b}_j$;
    end;
end;

Step 2. for $i = 1, \dots, n$ do
    $\lambda_i \leftarrow b_{ii}$;
    $\mathbf{b}_i \leftarrow \mathbf{b}_i / \lambda_i$;
end;

$P \leftarrow B$;
The following shows that Algorithm A indeed yields the required output. Let the $i$th row of $P$ be $\mathbf{p}_i$, $i = 1, \dots, n$. Since $p_{ji} = 0$ if $j < i$ and $p_{ii} = 1$, we may write

$$\mathbf{b}_i = \lambda_i \mathbf{p}_i + \sum_{j=i+1}^{n} \lambda_j p_{ji} \mathbf{p}_j .$$

For each $i = n-1, n-2, \dots, 1$, the inner loop of Step 1 effectively does

$$\mathbf{b}_i \leftarrow \mathbf{b}_i - \sum_{j=i+1}^{n} \lambda_j p_{ji} \mathbf{p}_j .$$

We shall show inductively that $\mathbf{b}_i$ is reduced to $\lambda_i \mathbf{p}_i$ at stage $i$: clearly $\mathbf{b}_n = \lambda_n \mathbf{p}_n$; suppose $\mathbf{b}_i$ has been reduced to $\lambda_i \mathbf{p}_i$ at stages $i = n-1, \dots, n-k$. At stage $n-k-1$, when the inner loop reaches column $j$, the rows $\mathbf{b}_j, \dots, \mathbf{b}_n$ already equal $\lambda_j \mathbf{p}_j, \dots, \lambda_n \mathbf{p}_n$, so $b_{jj} = \lambda_j$, and the terms with index above $j$ have already been removed from $\mathbf{b}_{n-k-1}$. Since $\mathbf{p}_l$ has a zero $j$th entry for $l < j$ and $p_{jj} = 1$, the $j$th entry of $\mathbf{b}_{n-k-1}$ at that moment is $\lambda_j p_{j,n-k-1}$, so the update subtracts exactly $\lambda_j p_{j,n-k-1} \mathbf{p}_j$. Hence

$$\mathbf{b}_{n-k-1} \leftarrow \mathbf{b}_{n-k-1} - \sum_{j=n-k}^{n} \lambda_j p_{j,n-k-1} \mathbf{p}_j = \lambda_{n-k-1} \mathbf{p}_{n-k-1} .$$

Hence Step 1 reduces $B = (\mathbf{b}_1, \dots, \mathbf{b}_n)^T$ to $(\lambda_1 \mathbf{p}_1, \dots, \lambda_n \mathbf{p}_n)^T = \Lambda P$. Since the diagonal entries of $P$ are all $1$'s, the diagonal entries of $\Lambda P$ are the required $\lambda_i$'s. Consequently, $P$ can be recovered by dividing each row by its corresponding diagonal entry.

We can now recover the moduli $p_1, \dots, p_n$ from $\lambda_1, \dots, \lambda_n$. From (1), we see that for a fixed $i$, $p_i \mid \lambda_j$ for all $j \neq i$ and $p_i \mid \lambda_i - 1$. So

$$p_i \mid d_i := \gcd(\lambda_1, \dots, \lambda_{i-1}, \lambda_i - 1, \lambda_{i+1}, \dots, \lambda_n).$$

It could of course happen that $d_i \neq p_i$ for some $i$. So this process only partially recovers the $p_i$'s. However, our computer simulations (using C++ with LiDIA) show that instances where $d_i \neq p_i$ are rare. We shall give some heuristics to substantiate this claim. For $d_i = p_i$, it is sufficient that $\gcd(m'_1, \dots, m'_{i-1}, m'_{i+1}, \dots, m'_n) = 1$. Indeed, for $j \neq i$ we have $\lambda_j = p_i \cdot m'_j \prod_{k \neq i,j} p_k$, and no $p_k$ divides $\lambda_k$ because $0 < m'_k < p_k$; hence every prime dividing $\gcd_{j \neq i} \lambda_j / p_i$ must divide each $m'_j$ with $j \neq i$, and the condition forces $\gcd_{j \neq i} \lambda_j = p_i$, so $d_i = p_i$. From [4] we have

$$\#\{(a_1, \dots, a_k) \in \mathbb{N}^k \mid \gcd(a_1, \dots, a_k) = 1,\ \text{all } a_j \le N\} = \begin{cases} N^k/\zeta(k) + O(N^{k-1}) & \text{if } k > 2, \\ 6N^2/\pi^2 + O(N \log N) & \text{if } k = 2, \end{cases}$$

where $\zeta(s) = \sum_{n=1}^{\infty} n^{-s}$ is the Riemann zeta function. Assuming that each $m'_j$ is randomly distributed in $\{1, \dots, N\}$ where $N := \max\{p_1, \dots, p_n\}$, the probability that $\gcd(m'_1, \dots, m'_{i-1}, m'_{i+1}, \dots, m'_n) = 1$ is then approximately $1/\zeta(n-1)$, which is at least $6/\pi^2 \approx 0.61$ (the case $n - 1 = 2$ is the worst, as $1/\zeta(k)$ increases with $k$), when $N$ is large enough. So we can expect to recover more than half of the $p_i$'s. In fact our simulations show that we almost always have $d_i = p_i$, and many of the rare exceptions are of the form $d_i = 2p_i$, where $p_i$ can also be recovered easily.
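The following Python script is an added worked example; it is not code from this paper or from Cao and Li, and all parameter values and function names are constructed for illustration. It builds a toy instance of the cryptosystem of Section 1 (assumed parameters: $n = 3$, $d = 4$, the primes $43, 103, 199$, each $\equiv 3 \pmod 4$, and unit-diagonal lower-triangular $P_1, P_2$ whose entries do not exceed $\beta \approx 2.04$ from (2)), encrypts and decrypts a block using the square root $y^{(p_k+1)/4} \bmod p_k$ and the bound (4), and then runs Algorithm A and the gcd step of this section against the public key $B$ alone. Exact rational arithmetic is used in the row reduction so that the recovered $\lambda_i$ and $P$ can be checked to be integral.

```python
"""Toy Cao-Li instance and the key-recovery attack of Section 2 (added example).

The primes, d, P1 and P2 below are constructed so the arithmetic can be
checked by hand; the function names are this example's own.
"""
from fractions import Fraction
from functools import reduce
from math import gcd

# Constructed secret parameters: distinct primes p_i ≡ 3 (mod 4), the message
# bound d, and two lower-triangular unit-diagonal matrices whose entries do
# not exceed beta (about 2.04 for these values, see beta()).
PRIMES = [43, 103, 199]
D = 4
P1 = [[1, 0, 0], [2, 1, 0], [1, 2, 1]]
P2 = [[1, 0, 0], [1, 1, 0], [2, 0, 1]]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def transpose(A):
    return [list(col) for col in zip(*A)]


def beta(primes, d):
    """The bound (2): beta = min_i sqrt(p_i / (i (i+1) d)) over i = 1..n."""
    return min((p / (i * (i + 1) * d)) ** 0.5 for i, p in enumerate(primes, start=1))


def keygen(primes, P1, P2):
    """Return (lambda_1..lambda_n, B) with B = P2^T P1^T Lambda P1 P2."""
    n = len(primes)
    assert all(p % 4 == 3 for p in primes) and len(set(primes)) == n
    lam = []
    for i, p in enumerate(primes):
        m_i = 1
        for j, q in enumerate(primes):
            if j != i:
                m_i *= q                      # m_i = product of the other primes
        m_i_inv = pow(m_i, -1, p)             # m'_i: m'_i m_i ≡ 1 (mod p_i), 0 < m'_i < p_i
        lam.append(m_i_inv * m_i)             # lambda_i = m'_i m_i ≡ delta_ij (mod p_j)
    Lam = [[lam[i] if i == j else 0 for j in range(n)] for i in range(n)]
    left = matmul(transpose(P2), transpose(P1))
    B = matmul(matmul(left, Lam), matmul(P1, P2))
    return lam, B


def encrypt(B, x):
    """Ciphertext y = x B x^T for a message block x with 0 <= x_i < d."""
    n = len(x)
    return sum(x[i] * B[i][j] * x[j] for i in range(n) for j in range(n))


def decrypt(primes, P1, P2, y):
    """z_k = square root of y mod p_k below p_k/2 (3),(4); then x = z (P2^T P1^T)^{-1} (5)."""
    z = []
    for p in primes:
        r = pow(y % p, (p + 1) // 4, p)       # a square root of y mod p since p ≡ 3 (mod 4)
        z.append(min(r, p - r))               # the root that satisfies the bound (4)
    M = matmul(transpose(P2), transpose(P1))  # upper-triangular, unit diagonal, z = x M
    n = len(z)
    x = [0] * n
    for k in range(n):                        # forward substitution: z_k = x_k + sum_{i<k} x_i M[i][k]
        x[k] = z[k] - sum(x[i] * M[i][k] for i in range(k))
    return x


def algorithm_a(B):
    """Algorithm A: reduce B = P^T Lambda P from the bottom row up; return (lambdas, P)."""
    n = len(B)
    b = [[Fraction(v) for v in row] for row in B]
    for i in range(n - 2, -1, -1):            # rows n-1, ..., 1 in the paper's 1-based numbering
        for j in range(n - 1, i, -1):         # columns n, ..., i+1
            c = b[i][j] / b[j][j]             # equals p_{ji} once the rows below i are reduced
            b[i] = [bi - c * bj for bi, bj in zip(b[i], b[j])]
    lam = [b[i][i] for i in range(n)]         # diagonal of Lambda P, i.e. lambda_i as p_ii = 1
    P = [[v / lam[i] for v in b[i]] for i in range(n)]
    assert all(v.denominator == 1 for row in P for v in row)
    return [int(v) for v in lam], [[int(v) for v in row] for row in P]


def recover_primes(lam):
    """d_i = gcd(lambda_1, ..., lambda_i - 1, ..., lambda_n); equals p_i when the m'_j (j != i) are coprime."""
    n = len(lam)
    return [reduce(gcd, [lam[j] - (1 if j == i else 0) for j in range(n)]) for i in range(n)]


def run_example(x=(3, 1, 2)):
    """Encrypt x, decrypt it, then attack the public key alone; return what was recovered."""
    lam, B = keygen(PRIMES, P1, P2)
    assert max(v for row in P1 + P2 for v in row) <= beta(PRIMES, D)
    y = encrypt(B, list(x))
    lam_rec, P_rec = algorithm_a(B)           # uses only the public key B
    return {"plaintext": decrypt(PRIMES, P1, P2, y), "lambdas": lam_rec,
            "P": P_rec, "d": recover_primes(lam_rec)}


if __name__ == "__main__":
    print(run_example())
```

For these parameters the attack returns $\lambda = (61491, 111241, 708640)$, $P = P_1 P_2$ and $d_i = p_i$ for every $i$; the sufficient condition of the text holds here since $(m'_1, m'_2, m'_3) = (3, 13, 160)$ are pairwise coprime. Larger keys only change the size of the integers, not the number of row operations, which is the point of the paper.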



3. Conclusion 

Note that Algorithm A is essentially LU-decomposition and the $d_i$'s can be computed using the Euclidean algorithm. Since these two methods can be carried out efficiently, we can easily recover $P$ and most of the $p_i$'s. It then follows that the Cao-Li cryptosystem is insecure and thus should not be used.